Exchange certificate deletion and reassignment?  Concerned about SMTP stopping

andy mann
I have an Exchange 2013 server on prem with a second server running as a DAG server. This is also a hybrid O365 deployment. I started getting a warning that one of the wildcard certs we purchased was about to expire, so I found another one and installed it on both servers. Since I've never done this before I thought I'd test it on the DAG server first. When I went to reassign the SMTP service I received an error that said "the certificate will not be used for external TLS connections with a FQDN of 'dag server' because the CA-signed cert 'thumbprint' takes precedence".

I Googled this and got varying answers, but if this is what happens on the DAG, I'm now a little frightened to try switching this out on the primary Exchange server.

I can't seem to find anyone who has actually changed out certificates on an Exchange server like this, or when they do it on YouTube or wherever, they don't get any errors.
Has anyone ever loaded another cert and reapplied it to the SMTP service? I really don't want to bring down this thing.
David Favor, Fractional CTO
Distinguished Expert 2018

Commented:
Just use https://LetsEncrypt.org certs (normal or wildcard).

LE certs have been free for years + just work + you can set up a simple CRON job (several Windows equivalents) to check for auto renewal each night + auto renewal will occur 10 days before the cert expires + it can also restart all your services (when renewals occur) to pull in the renewed certs.

LE certs - set up once + forget.

My kind of certs!
timgreen7077, Exchange Engineer
Distinguished Expert 2018
Commented:
If your cert is about to expire you will need to create a new cert request so that you can upload it to your certificate authority; see the link below:
https://technet.microsoft.com/en-us/library/bb125165(v=exchg.150).aspx

After your CA issues you a new cert you will have to install the cert on your Exchange servers, and I would recommend following your CA's instructions on installing the new cert on Exchange.

Once you install the new cert you will need to reassign the services like SMTP, IIS, POP and so forth to the new cert. See below:
https://practical365.com/exchange-server/exchange-2013-assign-ssl-certificate-to-services/

Just a note, I would suggest getting a UCC SAN cert instead of a wildcard. UCC SAN certs are recommended for Exchange.

Author
Commented:
I've already installed the new cert; it is the reassignment of services I'm worried about. I didn't think it would be any big deal until I received the error on the second server when I went to reassign the services.

My main concern is that SMTP stops running if there is some sort of problem with the new cert. Has this ever happened to anyone?
timgreen7077, Exchange Engineer
Distinguished Expert 2018
Commented:
If you installed the cert correctly, reassigning services to the new cert will not cause an issue. That is what needs to be done.
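As an added example (not code from this thread or from Microsoft), the Exchange Management Shell sequence a practitioner would run to check the newly installed certificate before binding it to SMTP on one server, following the steps given in the answers above, and then to point the hybrid connectors at it explicitly. The server name, thumbprint and connector names are assumed placeholders.

```powershell
# Added example, not from the original thread. Run from the Exchange
# Management Shell on Exchange 2013. $Server, $NewThumbprint and the
# connector names below are assumed placeholders; substitute your own.
$Server        = 'EX01'                        # assumed server name
$NewThumbprint = 'PASTE-NEW-CERT-THUMBPRINT'   # placeholder

# 1. Inspect every certificate on the server: which services each one
#    is bound to, when it expires and which names it covers.
Get-ExchangeCertificate -Server $Server |
    Format-Table Thumbprint, Services, NotAfter, IsSelfSigned, CertificateDomains -AutoSize

$cert = Get-ExchangeCertificate -Server $Server -Thumbprint $NewThumbprint

# 2. Sanity checks before touching SMTP: not about to expire, CA-issued,
#    private key present, and the chain validates (Status 'Valid').
if ($cert.NotAfter -lt (Get-Date).AddDays(30)) { throw 'New cert expires within 30 days' }
if ($cert.IsSelfSigned)                        { throw 'New cert is self-signed' }
if (-not $cert.HasPrivateKey)                  { throw 'Private key missing; re-import the PFX with its key' }
if ($cert.Status -ne 'Valid')                  { throw "Cert status is $($cert.Status), not Valid" }

# 3. Bind SMTP. Exchange prompts to overwrite the default SMTP certificate;
#    -Force answers yes. The old certificate stays installed as a fallback
#    until it is removed deliberately, so transport keeps running throughout.
Enable-ExchangeCertificate -Server $Server -Thumbprint $NewThumbprint -Services SMTP -Force

# 4. Hybrid send/receive connectors select the certificate by issuer and
#    subject (TlsCertificateName in '<I>issuer<S>subject' form). Repoint them
#    so TLS to Office 365 still matches once the old cert is gone.
$tlsName = '<I>' + $cert.Issuer + '<S>' + $cert.Subject
Set-SendConnector    -Identity 'Outbound to Office 365' -TlsCertificateName $tlsName   # assumed connector name
Set-ReceiveConnector -Identity "$Server\Default Frontend $Server" -TlsCertificateName $tlsName

# 5. Confirm which certificates now serve SMTP before removing the old one.
Get-ExchangeCertificate -Server $Server | Where-Object { $_.Services -match 'SMTP' } |
    Format-Table Thumbprint, NotAfter, CertificateDomains -AutoSize
```

Run it against the DAG member first, exactly as the question describes, and compare the step 5 output on both servers before removing the expiring certificate.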
timgreen7077, Exchange Engineer
Distinguished Expert 2018
Commented:
Provided answer to author, closing ticket unless author reopens.